How to Achieve Secure Remote Mobile App Access with MicroVPN
MicroVPNs are virtual private networks that are specific to an application instead of a device. The purpose of using a MicroVPN in mobile apps is to enable Bring Your Own Device (BYOD) and avoid deploying a VPN client to every device. MicroVPNs allow mobile apps to establish direct and seamless access to corporate resources without a VPN on the device. This Knowledge Base explains how anyone can use Appdome to achieve secure remote mobile access with MicroVPN.
Appdome is a no-code mobile app security platform designed to add security features in mobile apps.
Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps without coding. When a user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.
Using Appdome, there are no development or coding prerequisites to build secured apps. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, stores, and logic to the app automatically, with no manual development work at all.
Appdome MicroVPN is a flexible, all-in-one, mobile enterprise connectivity solution that supports any enterprise standard network gateway such as an SSL gateway, proxy, reverse proxy, or industry standard VPN. Appdome MicroVPN eliminates the need for mobile device VPNs or per application VPNs. Using Appdome MicroVPN each mobile app connects directly and securely to enterprise infrastructures.
Appdome’s MicroVPN does not require all web service endpoints to be published via a gateway, nor code changes to apps to repoint them to the newly published addresses of services. Appdome’s MicroVPN can use any SSL gateway, including Microsoft App Proxy, Netscaler and more, in two main modes: transparent mode, which does not require resources to be publicly published, and reverse proxy mode, which is intended for publicly resolvable resources. Modes can also be set on a per-resource basis, providing full granular control over the access and connectivity model.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on having standard or proprietary VPN protocols inside the mobile apps. The Appdome technology adds MicroVPN and relevant standards, protocols and more to the mobile app automatically.
Appdome for Mobile MicroVPN offers two modes:
On Appdome, you can enable a mobile app to use MicroVPN in two different modes of operation:
- Direct Connection Mode (default)
In this mode, the Appdome MicroVPN layer will act as a secure gateway between the application and the world. Inside the Appdome-Built application, the original application connects to the Appdome MicroVPN layer. This internal connection is protected by Appdome Security and not visible to the outside world. The Appdome MicroVPN Layer connects securely to the corporate gateway. The Appdome MicroVPN layer authenticates to the corporate gateway, enabling secure mobile app access to internal resources.
- Transparent Proxy Mode
In this mode, the Appdome MicroVPN layer routes its connection request to a proxy server, so that the proxy server can act as the secure gateway. Corporate proxies are typically accessible via the Internet. The Appdome MicroVPN layer tunnels a secure connection to the proxy to allow the original application to privately connect to the corporate network.
Appdome for Mobile MicroVPN Features:
Inclusive routing means you can decide that only some domains (regular expressions can be used) are securely connected using MicroVPN, while connections to domains not included in the list are allowed to pass directly. This gives you the option to choose particular settings for different domains, which is especially useful for defining multiple profiles with different configurations.
The most straightforward way of ensuring that connections between mobile apps and corporate networks are secure is to restrict the parameters of the connection. Appdome allows you to control two important parts of the connection used by the Appdome MicroVPN layer.
- Strict Protocol Checking: only connections using protocols in a pre-defined list are permitted. This prevents the built application from establishing connections to less secure destinations.
- Server Validation: after establishing a connection to a destination, the Appdome-fused app can do advanced checks to verify that the destination is who it says it is and is not a fake or malicious destination impersonating your destination.
When Strict Protocol Checking is enabled, built apps will only be able to make connections to secure servers using these cipher suites:
DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256.
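To see what the allow-list above does and does not guarantee, here is an added example (not Appdome code) that parses OpenSSL-style suite names into their components and reports two properties of the list: whether every suite uses an ephemeral key exchange (forward secrecy), and which suites are CBC-with-HMAC rather than AEAD. The suite names are the page's own; the parser and its labels are constructed for this illustration.

```python
"""Audit a Strict Protocol Checking allow-list of OpenSSL-style cipher suite names."""
from dataclasses import dataclass

# The eight suites quoted on the page.
STRICT_SUITES = [
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
]

EPHEMERAL_KEX = ("DHE", "ECDHE")          # ephemeral key exchange => forward secrecy
AEAD_TOKENS = ("GCM", "CCM", "POLY1305")   # authenticated-encryption modes


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str     # DHE, ECDHE, or RSA (static RSA key transport)
    authentication: str   # RSA in every suite on the page
    cipher: str           # AES128 / AES256 / CHACHA20 ...
    aead: bool            # False for CBC suites that rely on a separate HMAC
    forward_secrecy: bool


def parse_suite(name: str) -> SuiteProfile:
    """Split KEX-AUTH-CIPHER-[MODE-]HASH; names without a KEX prefix use static RSA."""
    parts = name.upper().split("-")
    if parts[0] in EPHEMERAL_KEX:
        kex, auth, rest = parts[0], parts[1], parts[2:]
    else:                       # e.g. AES128-SHA: RSA key transport, no forward secrecy
        kex, auth, rest = "RSA", "RSA", parts
    if len(rest) < 2:
        raise ValueError(f"unrecognised suite name: {name}")
    aead = any(tok in AEAD_TOKENS for tok in rest)
    return SuiteProfile(name, kex, auth, rest[0], aead, kex in EPHEMERAL_KEX)


def audit(suites):
    """Return (every suite forward-secret?, names of the non-AEAD suites)."""
    profiles = [parse_suite(s) for s in suites]
    return all(p.forward_secrecy for p in profiles), [p.name for p in profiles if not p.aead]


def is_permitted(negotiated: str) -> bool:
    """Strict Protocol Checking modelled as an exact-match allow-list."""
    return negotiated in STRICT_SUITES
```

Running `audit(STRICT_SUITES)` shows that all eight suites are forward-secret while the four `-SHA256`/`-SHA384` suites without `GCM` are CBC-with-HMAC, which is worth knowing when deciding which of them a gateway should prefer.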
Static Client Pinning
A more advanced security measure is to apply restrictions on the server or gateway which is the destination for the mobile app. If you set up the server or gateway to only accept connections from clients that can identify themselves using specific client certificates, Appdome can integrate the certificates needed to identify the client and present them as part of the secured connections.
Dynamic Client Pinning
Dynamic client pinning is an enterprise extension for static client pinning. It allows the use of a unique client-side certificate distributed by a SCEP server on a per-user basis. Currently, users are identified when fusing an app together with MicroVPN and Microsoft Intune. For more details read this article.
Appdome allows you to define one or more profiles to configure all the above settings. In this manner, you can protect some domains with Static Client Pinning, while protecting others by securing them using Transparent Proxy mode. Note: When using multiple profiles, all the profiles should be set up with Inclusive Routing in order to have the handling of each domain well defined.
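The profile model described in this section (Inclusive Routing per profile, Transparent Proxy or Direct Connection per profile, Static Client Pinning per profile) can be made concrete with the following added example, which is not Appdome code. It resolves a destination host to the profile that handles it, treats `*` as matching one or more sub-domain labels (an assumption about the wildcard the page mentions), accepts compiled regular expressions in a domain list since the page says those are allowed, and enforces the note that every profile must use Inclusive Routing once more than one profile exists. Profile names, domains and the proxy address are constructed sample data.

```python
"""Resolve which MicroVPN profile (if any) handles a destination host."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

DomainRule = Union[str, re.Pattern]   # "*.corp.example.com" or a compiled regex


@dataclass
class Profile:
    name: str
    inclusive_domains: Optional[List[DomainRule]] = None  # None: Inclusive Routing off
    transparent_proxy: Optional[str] = None               # "host:port" when set
    client_pinning: bool = False                          # Static Client Pinning

    @property
    def mode(self) -> str:
        return "Transparent Proxy" if self.transparent_proxy else "Direct Connection"


def domain_to_regex(pattern: str) -> re.Pattern:
    """'*' stands for one or more labels; everything else is literal. Anchored and
    case-insensitive, so 'evil-corp.example.com' does not match '*.corp.example.com'."""
    escaped = re.escape(pattern).replace(r"\*", r"[^.]+(?:\.[^.]+)*")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def profiles_are_valid(profiles: List[Profile]) -> bool:
    """Page rule: with multiple profiles, each one must have Inclusive Routing on."""
    return len(profiles) <= 1 or all(p.inclusive_domains is not None for p in profiles)


def resolve(host: str, profiles: List[Profile]) -> Optional[Profile]:
    """Return the first matching profile, or None when the host passes directly."""
    if not profiles_are_valid(profiles):
        raise ValueError("multiple profiles require Inclusive Routing on every profile")
    for p in profiles:
        if p.inclusive_domains is None:
            return p                      # single profile protecting all domains
        for rule in p.inclusive_domains:
            rx = rule if isinstance(rule, re.Pattern) else domain_to_regex(rule)
            if rx.match(host):
                return p
    return None


# Constructed sample configuration: two profiles, both with Inclusive Routing on.
PROFILES = [
    Profile("intranet", ["*.corp.example.com", "intranet.example.com"], client_pinning=True),
    Profile("partner", [re.compile(r"^api\d+\.partner\.example\.org$")],
            transparent_proxy="proxy.example.com:8443"),
]
```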
Prerequisites for adding MicroVPN by Appdome
In order to use Appdome’s no-code implementation of MicroVPN, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Enterprise-grade SSL gateway, proxy, reverse proxy, or industry standard VPN that is the authentication or termination endpoint for the MicroVPN
- List of internal domains the mobile app will access
- Client-side certificates (PEM+key) for Static Client Pinning
- Signing Credentials (e.g., signing certificates and provisioning profile)
9 Easy Steps to Achieve Secure Remote Mobile App Access with MicroVPN
Follow these step-by-step instructions to add MicroVPN to mobile apps on Appdome:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Build” tab, select “Access” category
- Go to the Access tab
- Toggle on Mobile Access and MicroVPN Profiles
- Select the scheme MicroVPN by Appdome
Note that all the features are optional, and any combination can be chosen. If none of the features are on, Appdome will take basic measures to ensure connection hardening (by ensuring the application’s connections use a secure TLS/SSL connection).
- Toggle on the Inclusive Routing feature, then click the + Add button to add the domains that will be protected. When this toggle is off, all domains are protected (and you can only have a single profile). You can add multiple domains or use * as a wildcard that will match any sub-domain.
- Toggle on Transparent Proxy mode and enter the proxy domain (a port may be included, in the standard host:port format)
- Toggle on session hardening to enable Strict Protocol Checking and/or Server Validation.
- Toggle on Static Client Pinning and add the client certificate. The certificate is added in PEM format as two separate files, the certificate itself and its key file.
- Click on Add profile to set up more profiles for your app
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods in each app and matches the app to the relevant code sets needed to add MicroVPN to the mobile app in seconds.
Congratulations! When your implementation is complete, you’ll see the notice below. You now have a mobile app fully integrated with MicroVPN.
After Adding MicroVPN to a Mobile App on Appdome
After you have added MicroVPN to any mobile app on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Built App
Appdome is a full featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the application.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the MicroVPN enabled Appdome-Built App (Required)
In order to deploy an Appdome-Built application, it must be signed. Signing an iOS app and signing an Android app are easy using Appdome. Alternatively, you can use Private Signing: download your unsigned application and sign it locally using your own signing methods.
Deploy the Appdome-Built App to a Mobile Device
Once you have signed your Appdome-Built application, you can download it and deploy it using your distribution method of choice. For more information on deploying your Appdome-Built applications, please read this knowledge base.
That is it – Enjoy MicroVPN in your application!
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.